Malware merchants have matured and are more diversified and dangerous than ever

They are well organized. They pay close attention to product quality, working hard to make it effective and scalable. They are all about customer service, providing after-sales support. They even solicit the help of their customers in product development.

They are malware merchants; in the business of helping others steal from legitimate businesses and innocent consumers. And they have evolved to the point where they operate much like the legitimate software industry. It is possible to buy malware from what amounts to an app store, or to contract for malware as a service (MaaS).

"The life cycle of [malware] products is the most amazing aspect," writes Pierluigi Paganini, a certified ethical hacker and founder of Security Affairs in Italy, in an article posted this past week on Infosec Island. "From design to release to after-sales support, each stage is implemented in every detail with care and attention."

One of the most famous examples is the Zeus Trojan, designed to steal banking information, which can be customized with new features demanded by its customers. There are an estimated 3.6 million computers in the U.S. that have been compromised by Zeus botnets.

In early January, the Israel-based security firm Trusteer reported on a new version of the SpyEye Trojan that, somewhat like a security camera hack, swaps out banking web pages to prevent account holders from noticing that their money is gone.

Not that the botnet market is new. But it is maturing, and is more diversified and dangerous than ever.

Kevin McAleavey, cofounder and chief architect of the KNOS Project outside Albany, N.Y., who has spent more than a decade in antimalware product development and research, says this is a logical progression. "Today's 'professionals' were once amateurs, and by that I mean the authors of the malware itself," he says. "It should come as no surprise that what may have once been done 'for fun' can readily be monetized by criminal and government elements for their own purposes."

The modern malware developer and distributor, he says, is selling not just the malware itself, but "the means to keep it hidden and from being detected."

But, if these merchants of malware are operating like businesses, can't authorities just track them down and shut them down? Not so easily, it turns out. Most use the so-called "Onion Router," which lets users conduct business anonymously. "The only time one has a chance to track down individuals is when they rat each other out," says McAleavey.

It is not only the Onion Router, but the fact that they operate in countries where they are hard to reach -- Latvia, Lithuania, Ukraine, Brazil and others -- where McAleavey says enforcement is lax. "Generally, these 'kids' are smart and don't leave much in the way of tracking data," McAleavey says. "They know how to layer proxies to cause the trail to go cold. Some people working for antivirus companies have successfully managed to audit the trails only to find the perps pull up stakes and move elsewhere by the time the authorities actually show up."

The "app store" element of the business amounts to a detection test service, "where a site accepts uploads of packaged malware and tests it against every known antivirus engine with the latest updates and spits out who detected it and as what. So the kids go back, change the code and keep changing it until nobody detects it whereupon, it goes out."

Paganini reports that Zeus offshoot Citadel offers a basic bot builder and botnet administration panel for $2,399 plus a $125 monthly "rent." It also offers what McAleavey noted -- a module for $395 that, "allows botmasters to sign up for a service that automatically updates bot malware to evade the latest antivirus signatures."

What should enterprises and consumers do? All of the usual things -- don't open odd attachments, even from those you know. Stay away from sketchy websites. Keep your antivirus up to date.

Paganini recommends public awareness and alert networks spread through social media. He would also like to see task forces composed of members from various sectors like government, industry, health and the military, "since we are facing cross-sector threats."

But neither Paganini nor McAleavey is optimistic in the short run. "As long as there's ways to get into Windows, and money to be made doing so, there will be no shortage of malware authors and those willing to make money servicing them -- until the means of hijacking machines themselves is solved," McAleavey says.

Paganini says there are no products on the market now that are able to block an enemy that "grows day by day."

"We are completely unprepared," he says, to fight a "perfect business machine that moves an amount of money equal to the economies of several nations."